

In addition, we build open source tools such as zxcvbn, use bcrypt password hashing, and offer Universal 2nd Factor authentication to all users.

We’ve implemented a broad set of controls including independent security audits and certifications, threat intelligence, and bug bounties for ethical hackers. We have dedicated security teams that work to protect our services and monitor for compromises, abuse, and suspicious activity. Still, as one of many precautions, we’re requiring anyone who hasn’t changed their password since mid-2012 to update it the next time they sign in. Based on our threat monitoring and the way we secure passwords, we don’t believe that any accounts have been improperly accessed. Our analysis suggests that the credentials relate to an incident we disclosed around that time. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe was obtained in 2012. Our security teams are always watching out for new threats to our users.

We also recommend that you enable two-step verification. However, for any of you who’ve used your Dropbox password on other sites, we recommend you change it on Dropbox and other services. If you don’t receive a prompt, you don’t need to do anything. We provide a password strength meter to help you. If prompted, all you need to do is choose a new and strong password. We’re doing this purely as a preventive measure, and there is no indication that your account has been improperly accessed. If you signed up for Dropbox prior to mid-2012 and haven’t changed your password since, you’ll be prompted to update it the next time you sign in. Also, please be alert to spam or phishing because email addresses were included in the list. We recommend that you create strong, unique passwords, and enable two-step verification.

If you signed up for Dropbox before mid-2012 and reused your password elsewhere, you should change it on those services. This reset ensures that e ven if these passwords are cracked, they can’t be used to access Dropbox accounts. We then emailed all users we believed were affected and completed a password reset for any one who hadn’t updated their password since mid- 2012. We first heard rumors about this list two weeks ago and immediately began our investigation. Based on our analysis, the credentials were likely obtained in 2012. We’re very sorry this happened and would like to clear up what’s going on. The list of email addresses with hashed and salted passwords is real, however we have no indication that Dropbox user accounts have been improperly accessed. UPDATE 8/31 at 2:15pm PT Since our original post, there have been many reports about the exposure of 68 million Dropbox credentials from 2012.
